Feds say only Chryslers were vulnerable to hacks via radio, not Audi or Volkswagen

U.S. auto safety regulators have determined that only infotainment centers from Fiat-Chrysler Automobiles (FCA) had a security flaw that could allow hackers to take control of Jeeps and several other car and truck models.

Last summer, Fiat-Chrysler recalled 1.4 million Jeep, Chrysler, Dodge and Ram vehicles that had the security flaw.

After a five-month investigation into cyberhacking vulnerabilities, the National Highway Traffic Safety Administration (NHTSA) said only FCA vehicles, and no others, were vulnerable to the hack.

Audi, Volkswagen and Bentley were also part of the NHTSA's investigation because they use the same infotainment center as Chrysler vehicles, which is made by Harman and uses a similar Uconnect operating system.

"According to Harman, vulnerabilities identified by FCA are not present in the head units supplied to Audi and Bentley given the distinct hardware components and software architectures of these varying infotainment systems," the NHTSA stated in a report released Friday.

Additionally, Harman products supplied to Volkswagen contain software features and protocols unique to respective vehicle systems. Audi provided materials to the NHTSA explaining why its infotainment technology provided increased safety and security. According to Audi, mobile online services and Wi-Fi connectivity are located on a separate hardware module, and vehicle systems are designed to use communication domains that are separated by a gateway.

The FCA recall followed a video published by two security experts who collaborated with Wired magazine to demonstrate how they could remotely control a Jeep Cherokee using a laptop computer.

The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems. The head unit is commonly connected to various electronic control units (ECUs) located throughout a newer vehicle. There can be as many as 200 ECUs in a vehicle.

According to the NHTSA's Office of Defects Investigation, the security architecture implementations in the infotainment head units supplied to other manufacturers are distinct from the Uconnect Access units provided to FCA from Harman.

Audi and Bentley also installed infotainment devices with countermeasures, including multilayered security implementations and partitioned communication domains to reduce security vulnerability risks and mitigate or prevent cyberattacks, the NHTSA stated.

"Additionally, these other vehicles interacted with vehicle networks outside the infotainment system differently," the NHTSA's report stated.

The NHTSA also stated that FCA and its network provider, Sprint, conducted a nationwide campaign to block access to a radio communications port that was unintentionally left open. On July 27, 2015, short-range wireless vulnerabilities were also blocked. Finally, third-party security evaluation and regression testing identified vulnerabilities that were remedied either by Sprint or through updates to the FCA Uconnect software.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.